my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
sub supported_challenge_types {
- return { 'dns-01' => 1 };
+ return ["dns-01"];
}
sub type {
sub options {
return {
api => {},
- data => {},
+ data => { optional => 1 },
nodes => { optional => 1 },
disable => { optional => 1 },
};
}
-my $outfunc = sub {
- my $line = shift;
- print "$line\n";
-};
+my $proxmox_acme_command = sub {
+ my ($self, $acme, $auth, $data, $action) = @_;
-sub extract_challenge {
- my ($self, $challenge) = @_;
+ die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
- return PVE::ACME::Challenge->extract_challenge($challenge, 'dns-01');
-}
+ my $alias = $data->{alias};
+ my $domain = $auth->{identifier}->{value};
-# The order of the parameters passed to proxmox-acme is important
-# proxmox-acme setup $plugin [$domain|$alias] $txtvalue $plugin_conf_string
-sub setup {
- my ($self, $data) = @_;
+ my $challenge = $self->extract_challenge($auth->{challenges});
+ my $key_auth = $acme->key_authorization($challenge->{token});
- die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
- my $domain = $data->{plugin}->{alias} ? $data->{plugin}->{alias} : $data->{domain};
- my $txtvalue = PVE::ACME::encode(sha256($data->{key_authorization}));
+ my $txtvalue = PVE::ACME::encode(sha256($key_auth));
my $dnsplugin = $data->{plugin}->{api};
my $plugin_conf_string = $data->{plugin}->{data};
# for security reasons, we execute the command as nobody
# we can't verify that the code of the DNSPlugins are harmless.
- my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
- push @$cmd, "/usr/bin/bash", $ACME_PATH, "setup", $dnsplugin, $domain;
- push @$cmd, $txtvalue, $plugin_conf_string;
+ my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
- PVE::Tools::run_command($cmd, outfunc => $outfunc);
+ # The order of the parameters passed to proxmox-acme is important
+ # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
+ push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
+ if ($alias) {
+ push @$cmd, $alias;
+ } else {
+ push @$cmd, $domain;
+ }
+ my $input = "$txtvalue\n";
+ $input .= "$plugin_conf_string\n" if $plugin_conf_string;
+
+ PVE::Tools::run_command($cmd, input => $input);
+
+ $data->{url} = $challenge->{url};
+
+ return $domain;
+};
+
+sub setup {
+ my ($self, $acme, $auth, $data) = @_;
+
+ my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
print "Add TXT record: _acme-challenge.$domain\n";
}
-# The order of the parameters passed to proxmox-acme is important
-# proxmox-acme teardown $plugin [$domain|$alias] $txtvalue $plugin_conf_string
sub teardown {
- my ($self, $data) = @_;
+ my ($self, $acme, $auth, $data) = @_;
- die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
- my $domain = $data->{plugin}->{alias} ? $data->{plugin}->{alias} : $data->{domain};
- my $txtvalue = PVE::ACME::encode(sha256($data->{key_authorization}));
- my $dnsplugin = $data->{plugin}->{api};
- my $plugin_conf_string = $data->{plugin}->{data};
-
- # for security reasons, we execute the command as nobody
- # we can't verify that the code of the DNSPlugins are harmless.
- my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
- push @$cmd, "/usr/bin/bash", "$ACME_PATH", "teardown", $dnsplugin, $domain ;
- push @$cmd, $txtvalue, $plugin_conf_string;
- PVE::Tools::run_command($cmd, outfunc => $outfunc);
+ my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
print "Remove TXT record: _acme-challenge.$domain\n";
}